IE users get new protection against potent form of malware attack

The bane of browser security, "use-after-free" bugs get harder to exploit in IE.

Microsoft developers have fortified Internet Explorer with new protections designed to prevent a type of attack commonly used to surreptitiously install malware on end-user computers.

The "isolated heap for DOM objects" made its debut with last week's Patch Tuesday. Just as airbags lower the chance of critical injuries in automobile accidents, the new IE protection is designed to significantly lessen the damage attackers can do when exploiting so-called use-after-free flaws in the browser code. As the name suggests, use-after-free bugs are the result of code errors that reference memory objects after they have already been purged, or freed, from the heap. Attackers exploit them by refilling the freed space with data of their own choosing, typically a fake object, so that when the browser later uses the stale reference it ends up running attacker-supplied code that logs passwords, makes computers part of a botnet, or carries out other nefarious behavior.

"The bag in this case is IE's memory space, and this memory space has objects, each object is supposed to be tracked," Chen wrote in an e-mail to Ars. "Sometimes, IE fails to keep track properly, so in some cases the object it wants is already gone (freed), [but IE] still thinks it's there. When you see this opportunity, it's possible you can refill this freed space with your fake one, that way when IE picks it up, [and] tries to use it, it ends up going WTF (a crash). Technically speaking, if you're able to control/redirect this crash, you gain arbitrary code execution."

The IE mitigation introduced last week allocates different kinds of objects from separate heaps, so that a freed slot can be reclaimed only by allocations of the same kind rather than by arbitrary attacker-controlled buffers such as strings. By reducing the types of objects that can land in a given location, the protection lowers the chance that an attacker exploiting a use-after-free error will be able to place a fake object where the stale reference points, and so achieve code execution. To borrow from Chen's analogy, IE will now specifically inspect the Oreo before beginning to snack on it. Researchers at security firm MWR Labs recently delved much deeper into the technical details of the new IE protection.
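The two-pool model below is an added example written for this page, not code from Microsoft, from IE, or from the MWR Labs write-up. It uses a toy fixed-size allocator with a LIFO free list, a stand-in `dom_obj` whose first field plays the role of a vtable slot, and handler functions (`legit_handler`, `attacker_handler`) named here purely for illustration. It shows the mechanics the two paragraphs above describe: with one shared heap, the attacker's same-sized allocation lands exactly on the freed slot and the browser's dangling dispatch runs attacker-chosen code; with DOM objects on their own heap, the spray cannot reach that slot, so the stale reference still points at type-consistent (if stale) data. Note that the bug itself is unchanged in the second case; only its exploitation is blunted.

```c
/* Toy model of a use-after-free "refill" against a shared heap versus an
 * isolated heap. Added illustration for this page; not Microsoft or IE code.
 * The allocator, object layout and handler names are all constructed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOT_SIZE 64   /* every allocation in this toy is one 64-byte slot */
#define NSLOTS    8

/* A fixed-size allocator with a LIFO free list. Each pool_t plays the role
 * of one heap: the most recently freed slot is the next one handed out,
 * which is the property a UAF exploit relies on to land its refill. */
typedef struct {
    unsigned char *mem;         /* NSLOTS * SLOT_SIZE bytes from malloc */
    int next_free[NSLOTS];
    int free_head;              /* index of first free slot, -1 when exhausted */
} pool_t;

int pool_init(pool_t *p) {
    p->mem = malloc((size_t)NSLOTS * SLOT_SIZE);
    if (!p->mem) return -1;
    for (int i = 0; i < NSLOTS; i++) p->next_free[i] = i + 1;
    p->next_free[NSLOTS - 1] = -1;
    p->free_head = 0;
    return 0;
}

void pool_destroy(pool_t *p) { free(p->mem); p->mem = NULL; }

void *pool_alloc(pool_t *p) {
    if (p->free_head < 0) return NULL;
    int i = p->free_head;
    p->free_head = p->next_free[i];
    return p->mem + (size_t)i * SLOT_SIZE;
}

/* Freeing does not scrub the slot, so stale contents survive until reuse. */
void pool_free(pool_t *p, void *ptr) {
    int i = (int)(((unsigned char *)ptr - p->mem) / SLOT_SIZE);
    p->next_free[i] = p->free_head;
    p->free_head = i;
}

/* Stand-in for a DOM object: the first field plays the role of a vtable
 * slot that the browser dispatches through when it uses the object. */
typedef struct dom_obj {
    int (*on_event)(struct dom_obj *self);
    char name[SLOT_SIZE - sizeof(void *)];
} dom_obj;

int legit_handler(dom_obj *self)    { (void)self; return 0; } /* browser's own code */
int attacker_handler(dom_obj *self) { (void)self; return 1; } /* stands in for attacker-chosen code */

/* Drive one UAF scenario. DOM objects come from dom_pool; attacker-controlled
 * buffers (think string or array data) come from data_pool. Pass the same
 * pool twice for a shared heap, two different pools for the isolated heap.
 * Returns what the dangling call actually dispatched to: 1 if the attacker's
 * handler ran, 0 if the stale but legitimate handler ran. */
int run_uaf(pool_t *dom_pool, pool_t *data_pool) {
    dom_obj *node = pool_alloc(dom_pool);
    node->on_event = legit_handler;
    strcpy(node->name, "div");

    dom_obj *dangling = node;          /* the reference the browser forgets to drop */
    pool_free(dom_pool, node);         /* ...while the object itself is released */

    /* Attacker "spray": allocate a same-sized buffer and fill it with a fake
     * object whose first field points at attacker-chosen code. */
    unsigned char *spray = pool_alloc(data_pool);
    int (*fake)(dom_obj *) = attacker_handler;
    memcpy(spray, &fake, sizeof fake);
    memset(spray + sizeof fake, 'A', SLOT_SIZE - sizeof fake);

    /* The browser now uses the stale pointer and dispatches through whatever
     * sits in that slot today. */
    return dangling->on_event(dangling);
}

int uaf_shared_heap(void) {
    pool_t heap;
    if (pool_init(&heap) != 0) return -1;
    int r = run_uaf(&heap, &heap);     /* spray lands exactly on the freed slot */
    pool_destroy(&heap);
    return r;
}

int uaf_isolated_heap(void) {
    pool_t dom_heap, data_heap;
    if (pool_init(&dom_heap) != 0) return -1;
    if (pool_init(&data_heap) != 0) { pool_destroy(&dom_heap); return -1; }
    int r = run_uaf(&dom_heap, &data_heap); /* spray cannot reach the DOM heap */
    pool_destroy(&dom_heap);
    pool_destroy(&data_heap);
    return r;
}

int main(void) {
    printf("shared heap:   attacker handler ran = %d\n", uaf_shared_heap());
    printf("isolated heap: attacker handler ran = %d\n", uaf_isolated_heap());
    return 0;
}
```

The model deliberately keeps the dangling pointer in both runs: the isolated heap changes nothing about the stale reference, only about who gets to decide what the memory it points to contains. Real allocators are less predictable than this LIFO free list and real DOM heaps still hold other DOM objects, which is why the mitigation raises the cost of exploitation rather than removing it.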

"I think it should make bug hunting more painful, as well as exploitation," Chen wrote. "It looks like it's meant to kill all the common paths that result in use-after-frees. To attackers, this means we'll have to look for some other way to exploit IE again, and nowadays it's a pretty time-consuming task because of multiple mitigations."

Chaouki Bekrar, CEO and head of research at a firm that regularly collects six-figure cash prizes at the annual Pwn2Own hacking contest, agreed the new IE mitigation will make it much harder for attackers to successfully exploit use-after-free bugs. As a result, many bugs that previously would have resulted in code execution may be reduced to crashes. Still, he advised users to not become too sanguine.

"Any mitigation has its own limitations, and it's always possible for a team of motivated researchers to achieve reliable code execution," Bekrar, of the France-based Vupen, told Ars. "For example, [as] demonstrated recently at Pwn2Own where Vupen has successfully managed to compromise Chrome, Firefox, and Internet Explorer all on Windows 8.1."

Promoted Comments

Why are these 'use-after-free' bugs even possible? Should the browser not just go "The object is not in memory anymore.... disregard!"

That's kind of the point. Where the code SHOULD have released the object/pointer/etc when it freed memory, it isn't doing so. As far as the code is concerned later on, that memory ISN'T free, even though the rest of the system freed it.